Posted by timothy on Monday September 09, 2013 @07:09AM
from the press-one-if-you-have-used-our-system-before dept.

Sparrowvsrevolution writes "It should come as no surprise to Bitcoin users that despite the pseudonymity the cryptocurrency offers, its transactions can be tracked. But University of California at San Diego researcher Sarah Meiklejohn proved that privacy problem more clearly than ever by showing a reporter that she could detect a specific point in Bitcoin's blockchain record of transactions where he had spent Bitcoins in exchange for marijuana on the Silk Road, the most popular online Bitcoin-based black market for drugs. To simulate a law enforcement subpoena, the reporter for Forbes began by giving Meiklejohn a Bitcoin address associated with Forbes' account. But with just that information, Meiklejohn was able to draw on a "clustering" analysis she had performed to identify Silk Road addresses and match them with the one used in the .3 BTC drug buy. She admits that a user who took more efforts to obscure his or her Bitcoin address through a laundering service or other unidentified Bitcoin wallets would be harder to track."

That's not what address means in a bitcoin context. An address is more like an account, and if random people are using your account then you probably lose your money. The problem lies in proving who has the keys to that specific account and to do that you probably need direct access to the key owner's computer. And the smart ones keep their keys encrypted on offline computers.

Indeed, you're right: lots of idiots seem not to grasp the difference between "Pseudonymous" and "Anonymous".

And don't understand the whole purpose of bitcoin (although it's usually clearly stated on all promotional material).

Bitcoin isn't done to be hidden and secret. (Nobody could know about a transaction beyond the two transacting parties). In fact that's the exact opposite: bitcoins are broadcast widely across the whole network, so the whole network works as a trusted witness of the transaction and no single malevolent entity could fake or falsify a transaction (unless they control at least 51% of the whole network, which is rather difficult due to the computing power deployed by all mining participants).

Bitcoin simply doesn't directly advertise actual full name and identifications for each transaction, bitcoin simply attaches a (still traceable - and thus most importantly for the whole service - still verifiable) public key to each transaction.

Bitcoin is done to be *out-of-reach* / *out-of-control*. Yes, it's not impossible to track down the identities behind a transaction. BUT even if government got the names, it can't go and knock at some bank's door with an order to freeze accounts. There are no accounts, there are no banks. Nobody can force anything nor falsify anything (at least not without the necessary 51% control mentioned above. Which is currently even out of reach of the NSA). There's no government who could suddenly start manipulating exchange rates/inflation/etc.

Bitcoin has been designed so there's nothing that could be done beyond what the 2 participants of a transaction decide.

Don't use Bitcoin to hide. Use bitcoin to be the only one in charge of what happens with your money.

There is the rub: FinCEN knows who is using the currency at all times by the way things are broadcast. Right now, not many people are having doors kicked down, but in theory, it is good enough proof to start arrests, or at the minimum start investigations.

So far, other than the "ooo, cool" aspect, I've not seen anything that makes BitCoin better than just using PayPal. BitCoins have major swings in value [1], there is no anonymity involved, and using BitCoins is like firing a signal flare to any LEO down

They are not equivalent, nor are they related. However, people believe that because Pseudonyms are easy to create that it permits a certain level of Anonymity. However anyone confusing the two needs to be educated.

For BitCoins to be useful, anonymously, one would have to use one time wallets, with random disposable public IP addresses, with coins that have been washed in a public coin laundry. All of this is neither easy nor convenient, but it is p

Not if you buy anything meaningful. If both parties in a trade are fully anonymous, and there is no intermediary, trust cannot exist. Either the buyer can avoid paying for the goods, or the seller can avoid actually delivering them.

(If I recall correctly, there may be some extremely few information goods which can be securely sold in this manner, namely proofs of hard mathematical statements. Then you can mess around with blind signatures and zero-knowledge proofs. But t

There's nothing to stop a government agency or criminal with a zero-day from taking over those endpoints and monitoring/creating/deleting/hiding any active bitcoin transaction they like.

The fundamental difference between decentralized crypto-currencies like bitcoin and absolutely every other form of currency, is the absence of central control. Yes, they could hack into your computer. But that would *require* hacking into the computer (which nonetheless would also be pretty much illegal under lots of jurisdictions in the absence of a whole mandate paperwork. And even if the likes of NSA and co might still be doing it, they are still going for trouble once exposed). Whereas dollars, euros, yens, sw

A cryptocurrency where everyone has a record of every transaction can be used to find a transaction between two known addresses? Is anyone surprised?

"the reporter for Forbes began by giving Meiklejohn a Bitcoin address associated with Forbes' account. But with just that information, Meiklejohn was able to draw on a "clustering" analysis she had performed to identify Silk Road addresses"

They had only the buyer's bitcoin address. The rest was extrapolated.

This eliminates privacy for any transactions made from a bitcoin account funded via a normal (ie government monitored) bank account, which is one of the main reasons to use bitcoins to start with.

Still, they only proved that Forbes had bought something at Silk Road. There are legal things being sold on silkroad too, and anyway the law is not indifferent to whether you bought cocaine or contraband.

The point at which Forbes would get in trouble, was when law enforcement matched a known purchase on silk road to a shipment to a known address. Bear in mind, they could be on watch for a mysterious package in the mail to Forbes, based on nothing more than what the researcher uncovered in this case.

He knew the exact time he made the transaction. He knew the amount. He knew other details.

So, really, wtf?

I am not going to read the article. This is some sort of fear mongering.

Ya stupid article (I didn't read it either). They purchase something safe like marijuana then have the balls to say they purchased drugs. Buy some Adderall I've seen lots of that for sale on the silk road.

RTFS. The researcher didn't know any of those details. She was given only a Btc address, and she discovered the rest. The reporter who made the buy was able to confirm that she correctly identified those facts. (I assume it was a test buy, and the materials turned over to the proper authorities.)

I don't know if her methods would stand up in a courtroom. They would, however, be enough to put John Law on someone's trail, and possibly enough to seek a warrant.

RTFS. The researcher didn't know any of those details. She was given only a Btc address, and she discovered the rest. The reporter who made the buy was able to confirm that she correctly identified those facts. (I assume it was a test buy, and the materials turned over to the proper authorities.)

The materials were not turned over to authorities, but were thoroughly destroyed. I believe the method used was "a series of small fires".

All the researcher discovered was that the writer had sent funds to Silk Road. The article specifically points out they couldn't tell what, if anything, the bitcoins were used to buy. The headline is sensationalist, to say the least.

No, but if the researcher had been law enforcement rather than a mere graph-savvy computer scientist, they could find out. They would just monitor Forbes' mailbox (and maybe other likely delivery spots). Since they would know the Silk Road purchase happened as soon as it happened, they could be confident that something would drop into that mailbox.

That would be a guess. All LE, or anyone without inside access to Silk Road, could see is the funds going to the Silk Road wallet. Beyond that, there's no way to tell AFAIK. If the sender buys something, they could do it immediately, or not. They could wait months, with the coins there on their SR account. They might not even buy anything, they might just be using SR as a mixer service and withdraw to a different address to break the connection between themselves and their bitcoins.

there was direct transaction to a known drugs seller account on the chain and this is the news?

it would be a bit more impressive if they would work out who bought drugs from looking at the drug seller's bitcoin history (and somehow identifying who the wallets belong to and where the drugs were sent to..).

Just generate a new address whenever you buy illegal things if that's what you are into, or have several wallets that you rotate between to perform your transactions. If you reuse an address over and over again, of course you can be tracked. The safety factor is directly proportional with your ability to understand how this works and how you can be tracked

That sounds terrible... if this would become mainstream, that would mean that for 95% of the population using bitcoins safely would be too hard. If the system is so unsafe and easy to track if you use it normally, then I don't see where the anonymous claims of bitcoin come from. And if you have to create new wallets all the time to be really safe & not trackable, why the hell did they call it a wallet? a wallet is the thing you keep unchanged for years in real life, not something you throw away every da

then rename it to "receipt" (something you throw away regularly), automate the process of generating new ones, and forget about it. Silly attachments to antiquated concepts is the whole problem we're trying to solve here. Let's not get all, "they called it a wallet--it must behave exactly like a wallet!"

If the system is so unsafe and easy to track if you use it normally, then I don't see where the anonymous claims of bitcoin come from.

Actual bitcoin proponents never claimed that it was ANONYMOUS (That would imply a hidden identity). They only mentioned that it is PSEUDONYMOUS. There are clear identities: they are not your actual name, but mainly your public keys. These keys are still traceable and thus - and that's the most important part for the whole service to work as intended - also still verifiable by anyone in the network. Anyone can verify any transaction because all public keys and transactions are broadcast on purpose to the whol

A malevolent agent would need to control at least 51% to outvote and falsify transaction history...

Note that "falsify" in this context is still limited to blocking or reversing existing (valid) transactions. A person with 51% of the hashing power of the entire network could spend bitcoins from his own accounts multiple times, or allow someone else to do the same, or prevent someone (or everyone) else from spending their bitcoins. He still wouldn't be able to spend anyone else's bitcoins without their private key, no matter how much of the mining he controls. The winning miner chooses the transactions whi

Well actually you could do worse. If you had almost unlimited computing power, you could generate your own private keys and actually rewrite a "different" bitcoin transaction history. If you control enough hashing power AND bitcoin nodes, you could actually present your version of bitcoin history as the official one and the current one would look like a fork attempt.

In theory. In practice you would probably require a magic virus which turns the whole internet into a giant botnet to pull this stunt.

Looking back I see that I wasn't entirely clear. I did actually mean to include this possibility; a 51% attack can result in supposedly settled transactions being reversed, along with transactions which have not yet made it into a block.

Any miner can choose which block to base their new block on; it doesn't have to be the latest one in the dominant blockchain. However, honest nodes will prefer the branch of the blockchain with the highest total difficulty, so by choosing an older block you're starting at a

I'm pretty sure some bitcoin proponents have claimed that, unless you want to get into No True Scotsman arguments.

We're not speaking ethics or moral or other complex soft science. It's math and crypto. Either you do understand bitcoin and your opinion matters. Or you're clueless and could as well be claiming that bitcoin were invented by aliens as a complex plot to hypnotise the president of the world into making homosexuality mandatory.

I am simply saying that nobody who did actually understand how bitcoin works could even honestly claim that bitcoin guarantees true anonymity.

That sounds terrible... if this would become mainstream, that would mean that for 95% of the population using bitcoins safely would be too hard.

We live in a world where for 99.9% of the population, using bitcoins at all is too much of a hassle compared to whatever benefit is supposed to come from it. Me, for example. I just don't have a use case for those things.

Yeah and how would the money arrive in that separate address/wallet to be spent on drugs?

Unless you only generate the bitcoins you spend purely by mining (in which case you must have very strong and thus expensive processing/hashing power) at some point bitcoin money needs to be transferred to this wallet before being spent on banned goods.

By using a separate address/wallet (which is nonetheless a good *security* advice, only not an efficient advice to *hide identity*) you only add just one extra step of the

Just generate a new address whenever you buy illegal things if that's what you are into, or have several wallets that you rotate between to perform your transactions. If you reuse an address over and over again, of course you can be tracked. The safety factor is directly proportional with your ability to understand how this works and how you can be tracked

The weakness isn't the bitcoin address as such - it's being able to link that bitcoin address to the buyer. You could have any number of bitcoin addresses but if they're all (or partly) tied back to you...via your bank accounts for example, then you're just as fucked.
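The linkage argued over in the comments above, as an added example that is not part of the thread: on a constructed toy ledger, fresh addresses funded from one identified address stay reachable by walking the public transaction graph, and addresses spent together in one transaction collapse into one cluster. The ledger, the address labels and the co-spending heuristic are assumptions for illustration; the page does not say which heuristics the researcher's clustering used.

```python
from collections import deque

# Constructed toy ledger, not real chain data; all address labels are made up.
TXS = [
    {"txid": "t1", "ins": ["bank_funded"], "outs": ["fresh_1", "change_1"]},
    {"txid": "t2", "ins": ["fresh_1"], "outs": ["fresh_2"]},
    {"txid": "t3", "ins": ["fresh_2", "change_1"], "outs": ["market_deposit"]},
    {"txid": "t4", "ins": ["unrelated"], "outs": ["market_deposit"]},
]

def trace_forward(txs, start):
    """Breadth-first walk of the ledger: for every address reachable from
    `start`, return the list of txids that carries funds from `start` to it."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        for tx in txs:
            if addr not in tx["ins"]:
                continue
            for out in tx["outs"]:
                if out not in paths:
                    paths[out] = paths[addr] + [tx["txid"]]
                    queue.append(out)
    return paths

def cluster_co_spent(txs):
    """Union-find over addresses used together as inputs of one transaction
    (assumed heuristic: one signer held all input keys). Returns clusters > 1."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in txs:
        roots = [find(a) for a in tx["ins"]]
        for r in roots[1:]:
            parent[r] = roots[0]
    groups = {}
    for a in list(parent):
        groups.setdefault(find(a), set()).add(a)
    return [g for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    print(trace_forward(TXS, "bank_funded"))
    print(cluster_co_spent(TXS))
```

The trace reaches `market_deposit` from `bank_funded` even though every hop in between used a fresh address, while `unrelated` never appears in the result.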

You are mitigating risk, you are not eliminating it. You can go to the absurd extreme or do less, like running your wallet through TOR for example. The idea here is to minimize your exposure...but the very act of using Bitcoin is risky, so you have to make choices based on risk factors.

What would be more interesting is to take a big enough sample so that the proportion of bitcoins that can be traced to drug purchases can be determined. Is it higher or lower than the proportion of US dollar bills [cnn.com] with traces of cocaine on them?

Idiot. I'd rather someone points out the mistaken assumptions *publicly* than have people live in ignorance. She didn't create the problem, she's just pointing it out. This is straight up full disclosure security. If you have a problem with that, then you haven't been paying attention to security for the past decade.

If they had their shit together enough to go out and deal with reality and other humans, they wouldn't need drugs in the first place.
But in all seriousness, these are the same idiots that have drugs mailed or FedEx'ed to them and think that they are going to get away with it.

I mean, I wouldn't buy clearly illegal things over the internet, especially from total strangers, because it seems like the potential for getting caught would be pretty high. But I also wouldn't buy these specific illegal things from people I do know, even if I wanted them, because I don't *know* any. And it's not like you can just walk out in the street and yell "hey, anyone know any dealers of illegal narcotics?!", and expect to get any responses other than, if you're lu

So, you use TOR (I know, NSA yada-yada, just use the latest source and compile yourself) over a VPN you bought with bitcoins anonymously, with a freshly opened google/yahoo/riseup/whatever account for the store/market/service...

You use your gaming machine to run for a few days to generate the 0.3 BTC/LTC/whatever coin. You run your miner over tor/vpn/i2p through a service that doesn't need a signup.

You create a new wallet and you make one transaction.. over VPN (or VPNs and TOR and/or i2p)